2 files changed, 18 insertions, 9 deletions

diff --git a/imap-dl b/imap-dl
index 83ce84f..4f5abbb 100755
--- a/imap-dl
+++ b/imap-dl
@@ -185,12 +185,21 @@ def scan_msgs(configfile:str, verbose:bool) -> None:
                            port=int(conf.get('retriever', 'port', fallback=993)),
                            ssl_context=ctx) as imap:
         username:str = conf.get('retriever', 'username')
-        use_kerberos = conf.getboolean('retriever', 'use_kerberos',
-                                       fallback=False)
-        if use_kerberos:
+        authentication:str = conf.get('retriever', 'authentication',
+                                      fallback='basic')
+        # FIXME: have the default automatically choose an opinionated
+        # best authentication method.  e.g., if the gssapi module is
+        # installed and the user has a reasonable identity in their
+        # local credential cache, choose kerberos, otherwise, choose
+        # "basic".
+        if authentication == 'kerberos':
             auth_gssapi(username, imap, conf, server)
-        else:
+        elif authentication == 'basic':
             auth_builtin(username, imap, conf, server)
+        else:
+            # FIXME: implement other authentication mechanisms
+            raise Exception(f'retriever.authentication should be one of:\n'
+                            '"basic" or "kerberos", got "{authentication}"')
 
         if verbose: # only enable debugging after login to avoid leaking credentials in the log
             imap.debug = 4
diff --git a/imap-dl.1.pod b/imap-dl.1.pod
index 5864267..88e3129 100644
--- a/imap-dl.1.pod
+++ b/imap-dl.1.pod
@@ -43,14 +43,14 @@ options:
 
 B<retriever.server> is the dns name of the mailserver.
 
+B<retriever.authentication> is either "basic" (the default, using the
+IMAP LOGIN verb) or "kerberos" (IMAP AUTHENTICATE with GSSAPI,
+requires the python3-gssapi module).
+
 B<retriever.username> is the username of the IMAP account.
 
 B<retriever.password> is the password for the IMAP account when using
-plaintext passwords.
-
-B<retriever.use_kerberos> (boolean) requests that Kerberos (through GSSAPI) is
-to be used instead of password-based auth.  There is no need to specify
-password when using Kerberos.  This requires the python3-gssapi module.
+B<retriever.authentication> is set to "basic".
 
 B<retriever.ssl_ciphers> is an OpenSSL cipher string to use instead of the
 defaults.  (The defaults are good; this should be avoided except to work